On Monday, Apple announced that it was releasing emergency security updates for its iOS and MacOS operating systems after the company discovered a new zero-click vulnerability with help from researchers at the University of Toronto’s Citizen Lab. The Citizen Lab researchers released a report that same day detailing how they had come across the exploit Apple patched by examining the phone of a Saudi activist who had been targeted using NSO Group’s controversial Pegasus spyware.
While the news that NSO Group is helping governments infiltrate smartphones and computers using sophisticated exploits and vulnerabilities is not surprising, the reach and ease of this latest exploit, dubbed FORCEDENTRY by Citizen Lab, is still pretty stunning. It could be used to compromise all Apple phones, tablets, computers, and watches—and worse, since it could be used to infect those devices without a person actively clicking on anything to download malicious code, it was all but impossible to protect against. (Until Monday! Go update all your Apple devices immediately! Finish this article afterward! Here’s how to update your iPhone, Apple Watch, and macOS for desktop or laptop.)
NSO Group, an Israeli company that sells digital surveillance tools to governments around the world, has come under fire many times before for providing those governments with sophisticated technical exploits that can be used to target dissidents, activists, and journalists. Its tools have been implicated in the 2018 assassination of Jamal Khashoggi, and earlier this year, a list of more than 50,000 cellphone numbers that were reportedly targeted by its Pegasus spyware was leaked to several news organizations. (NSO Group denied the list contained Pegasus targets and then announced that it would stop responding to press inquiries.) That list helped demonstrate the reach and scale of the company’s operations, but it wasn’t clear how the malware had infiltrated so many devices belonging to people who were paying close attention to their digital security.
Anyone can infiltrate 50,000 cellphones, but compromising phones that belong to journalists and activists who are taking cyber hygiene seriously is an entirely different—and much harder—task. That’s because many cybersecurity incidents begin with a moment of carelessness—someone opens an email attachment they shouldn’t have, or fills out a form on an insecure website, or sticks an unfamiliar USB drive into their computer. That’s also why so much basic cyber hygiene guidance focuses on encouraging you to double-check the “from” addresses in your email or heed browser warnings—generally speaking, it’s difficult for someone to compromise your computer without tricking you into downloading something or revealing your credentials at some point along the way. But one of the hallmarks of NSO Group’s tools is that many of them can infect devices without even requiring the device owner to click on or download anything. That’s why FORCEDENTRY is described as a “zero-click” exploit (not to be confused with a zero-day exploit, which targets a vulnerability the vendor has not yet discovered or patched—a description that also applied to FORCEDENTRY).
That’s what makes exploits like the one announced Monday so dangerous and so scary even to people who are vigilant about cybersecurity. It’s also part of why NSO Group is so widely regarded with suspicion and hostility: It’s not just selling spyware to governments to use on journalists, dissidents, and activists—it’s selling incredibly advanced spyware the likes of which many of the countries NSO sells to probably would not be able to develop on their own.
And because these zero-click exploits are so passive, they’re often also hard to detect and trace; users can’t easily look back through their emails or downloads to identify a particular suspicious message or file. The Citizen Lab was only able to alert Apple to the problem because earlier this year a Saudi activist who had been targeted by the NSO Group Pegasus spyware provided the Citizen Lab with an iTunes backup of their phone for the researchers to analyze. The Citizen Lab researchers identified several suspicious .gif files in the phone backup and sent those files to Apple on Sept. 7. Apple then analyzed them, identified the vulnerability the files exploited, and released the relevant patches less than a week later. That short timeline is a sign of both Apple’s engineering prowess and just how seriously the company took this exploit. News of yet more bad behavior by NSO Group feels a little like déjà vu, but each and every zero-click zero-day is still a big deal, every single time.
The Citizen Lab concludes its report on FORCEDENTRY on a surprisingly optimistic note, predicting that “NSO Group’s business model contains the seeds of their ongoing unmasking. Selling technology to governments that will use the technology recklessly in violation of international human rights law ultimately facilitates discovery of the spyware by investigatory watchdog organizations, as we and others have shown on multiple prior occasions, and as was the case again here.” I don’t know if I’m quite as confident as they are that the researchers and companies tracking down and patching these vulnerabilities and exploits are going to be able to keep pace with NSO’s arsenal of tools. If anything, the past few years have shown us just how many technical exploits NSO has up its sleeve and how many countries are willing to pay it to keep coming up with more.
Still, it is reassuring to see how quickly Apple and Citizen Lab were able to get the pieces in place to patch this latest discovery. And perhaps there’s even value in drawing more major tech companies into the process of dealing with NSO Group. Facebook famously sued NSO following the discovery that NSO Group had been exploiting a WhatsApp vulnerability. So long as the Israeli government is still unwilling to regulate its spyware industry, maybe the big tech companies can apply some much-needed pressure to both the company and the country to clean up their act.